SonicOS 7 System

Table of Contents

Configuring MAC IP Anti-Spoof Settings

To configure settings for a particular interface, click the Edit icon in the Configure column for the desired interface. The Edit Interface dialog is displayed for the selected interface.

Edit Interface

The following options are available:

  • Anti-Spoof Settings
    • Enable MAC-IP based anti-spoofing: To enable the MAC-IP Anti-Spoof subsystem on traffic through this interface
    • Static ARP: Allows the Anti-Spoof cache to be built from static ARP entries
    • DHCP Server: Allows the Anti-Spoof cache to be built from active DHCP leases from the SonicWall DHCP server
    • DHCP Relay: Allows the Anti-Spoof cache to be built from active DHCP leases, from the DHCP relay, based on IP Helper
  • ARP Settings
    • ARP Lock: Locks ARP entries for devices listed in the MAC-IP Anti-Spoof cache. This applies egress control for an interface through the MAC-IP Anti-Spoof configuration, and adds MAC-IP cache entries as permanent entries in the ARP cache. This controls ARP poisoning attacks, as the ARP cache is not altered by illegitimate ARP packets.
    • ARP Watch: Prevents ARP poisoning of connected machines to protect all clients’ PCs from man-in-the-middle attacks.
  • Miscellaneous Settings
    • Enforce Ingress anti-spoof: Enables ingress control on the interface, blocking traffic from devices not listed in the MAC-IP Anti-Spoof Cache.
    • Spoof Detection: Logs all devices that fail to pass Anti-spoof cache and lists them in the Spoof Detected List.
    • Allow Management: Allows through all packets destined for the appliance’s IP address, even if coming from devices currently not listed in the Anti-Spoof Cache.

After your setting selections for this interface are complete, click Save. After the settings have been adjusted, the interface’s listing is updated on the MAC-IP Anti-Spoof page. The green circle with white check mark icons denote which settings have been enabled.

The following interfaces are excluded from the MAC-IP Anti-Spoof list:

  • Non-Ethernet interfaces
  • Port-shield member interfaces
  • Layer 2 bridge pair interfaces
  • High availability interfaces
  • High availability data interfaces